Ted was displeased at being laid off just before Christmas, and expressed his displeasure by launching a systematic attack on his former company’s network.
Three weeks following his termination, the insider used the username and password of his colleague to gain remote access to the network and modify several of the company’s files, web pages, and customer information.
He also sent an email to customers asking for their personal details and inserted malicious links in the body of the email message.
Ted’s actions are classified as ‘insider threat’ – incidents of sabotage committed by individuals who are authorized to use the information systems of the companies they are, or were, employed by, and who use that access to cause harm.
Alex McGeorge, senior security researcher at Florida-based Immunity, explains that attacks originating inside a network pose a greater threat than outside attacks: when you expose that kind of attack surface to someone, the potential for damage is greater.
A survey named ‘Boardroom Cyber Watch 2013’ revealed that organizations’ focus on outside threats does not give them a holistic security posture, specifically against threats from within, indicating the growing need for insider threat analysis. More than 50 percent of the respondents said that the greatest threat to their company’s computer systems and data, in fact, comes from their own staff members.
It is important to understand that there are several different categories of insider threat actors, and each of them represents a significant challenge to organizations. Here are some distinct categories of these insiders:
Insider threat actors have caused financial and reputational damage to a plethora of companies over the years, and many firms are now giving serious consideration to insider threat analysis. The following are some recent instances of threat actor activity within organizations and the outcome:
It is important to recognize that common cybersecurity implementations such as security incident and event management, logging, and actionable intelligence alone cannot prevent insider threats. In a survey conducted by The Ponemon Institute, 54 percent of respondents said that they did not have a multi-disciplinary program in their organization to combat insider threats, and 17 percent said that they had a defined program, but that participation was limited to the IT department.
Instead of monitoring an employee’s every activity via surveillance cameras, companies can conduct insider threat analysis to reduce the risk. Analysis is essential for all activities, as it determines whether employees understand that the employer expects them to comply with the security policies, and that an attempt to violate a business process or circumvent a security control is unlikely to go undetected. Behavior analysis should include files accessed, data transfers completed, accounts created, and any activity associated with moving data out of the company’s network.
Also, some industries and governments prefer to keep their current information security conditions undisclosed, which makes data collection the most critical aspect of reporting in insider threat analysis. In such industries, IT departments can only rely on an appropriate open policy and cooperate with the R&D department to bring down the risk of insider threat.
By recording and analyzing activity in the company’s database, an organization can establish a baseline of correct employee behavior against a solid structure of expected activity. This enables the security department to investigate and detect illegitimate activity reliably and rapidly, and to take action in the early stages to prevent it.
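The behavior analysis the post describes (files accessed, data transferred, accounts created, data leaving the network, checked against a per-user baseline) can be sketched as a small detection pass. The code below is an added example, not the post’s or STEALTHbits’ code; the pipe-delimited log format, the sample events, the business-hours window and the spike thresholds are all constructed assumptions. Each day of a user’s activity is compared only with that user’s earlier days, so the baseline is learned from the data rather than fixed in advance.

```python
"""Added example: per-user behavior baseline over constructed activity logs.
Not the product's code. Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log, one event per line: timestamp|user|action|target|bytes.
# alice's account is used late at night on 12-05 to read a new share,
# push a large upload out of the network and create a new account.
SAMPLE_LOG = """\
2013-12-02T09:12:00|alice|file_read|/finance/q3.xlsx|0
2013-12-02T09:30:00|alice|upload|share.example|1200000
2013-12-03T10:01:00|alice|file_read|/finance/q4.xlsx|0
2013-12-03T10:05:00|alice|upload|share.example|900000
2013-12-04T09:50:00|alice|upload|share.example|1100000
2013-12-05T23:40:00|alice|file_read|/hr/salaries.xlsx|0
2013-12-05T23:41:00|alice|upload|share.example|48000000
2013-12-05T23:45:00|alice|account_create|svc_backup2|0
2013-12-06T08:00:00|bob|file_read|/eng/design.docx|0
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, target, nbytes = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "target": target, "bytes": int(nbytes)})
    return events


def share_of(path):
    """Top-level share a file path lives under, e.g. /finance/q3.xlsx -> /finance."""
    return "/" + path.strip("/").split("/")[0]


def analyze(events, business_hours=(7, 19), spike_factor=10, min_bytes=10_000_000):
    """Return (user, date, finding, detail) tuples.

    For every user and every day, the baseline is that user's activity on
    earlier days. Three indicators from the post are checked:
      new_share               - a file read from a share never seen before
      outbound_spike          - uploads far above the user's median daily volume
      offhours_account_create - account creation outside business hours
    """
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for day in sorted({e["ts"].date() for e in evs}):
            prior = [e for e in evs if e["ts"].date() < day]
            today = [e for e in evs if e["ts"].date() == day]
            if not prior:
                continue  # nothing to compare against yet

            # 1. File access outside the shares this user has touched before.
            known_shares = {share_of(e["target"]) for e in prior if e["action"] == "file_read"}
            for e in today:
                if e["action"] == "file_read" and share_of(e["target"]) not in known_shares:
                    findings.append((user, day, "new_share", e["target"]))

            # 2. Data leaving the network: today's uploads vs. median of prior days.
            prior_daily = defaultdict(int)
            for e in prior:
                if e["action"] == "upload":
                    prior_daily[e["ts"].date()] += e["bytes"]
            baseline = statistics.median(prior_daily.values()) if prior_daily else 0
            today_out = sum(e["bytes"] for e in today if e["action"] == "upload")
            if today_out >= min_bytes and today_out > spike_factor * baseline:
                findings.append((user, day, "outbound_spike", today_out))

            # 3. Account creation outside the assumed business-hours window.
            start, end = business_hours
            for e in today:
                if e["action"] == "account_create" and not (start <= e["ts"].hour < end):
                    findings.append((user, day, "offhours_account_create", e["target"]))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f)
```

Run as a script, the three findings all land on alice’s account on 2013-12-05; the earlier days, where her uploads stay near one megabyte and her reads stay under /finance, produce nothing. In practice the baseline window, the spike factor and the size floor would be tuned per role, and the account used after hours would be the starting point of an investigation rather than a verdict, since the story above shows that the account holder and the actor can be different people.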
Company management should not allow an insider’s sense of achievement to grow beyond the permitted limit, and should implement policies based on current analysis to keep it there. When insiders start to behave in ways slightly beyond what is permitted, their expectations rise, and this freedom creates a condition in which increased expectations may lead to breaches of access levels and unauthorized use of sensitive information.
Insider threat analysis depicts the key reasons why security policies exist within organizations and the reasons that lead to malicious behavior. By providing instances where insider activity occurred and where the IT security department failed to detect it, the information can serve as a deterrent against such activity in the future.
Effective separation of duties should be established after the analysis to ensure that access to critical functions is not concentrated in the same individual. Checks and balances should then be implemented through approval and review processes so that ‘malicious gaps’ are appropriately identified and controlled.
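The separation-of-duties and review step above can be made concrete as a check run over role assignments: a list of entitlement pairs that must never sit with one person, a report of who already holds both sides, and a gate that a provisioning or access-review process can call before a new role is granted. This is an added example, not the post’s or STEALTHbits’ code; the roles, entitlements, users and toxic pairs are constructed.

```python
"""Added example: separation-of-duties (toxic combination) checks over a
constructed role model. Not the product's code; all data is constructed."""

# Constructed: role -> entitlements the role grants.
ROLES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "web_editor": {"edit_web_page"},
    "web_publisher": {"publish_web_page"},
    "helpdesk": {"create_account"},
    "access_approver": {"approve_access_request"},
}

# Constructed: pairs of entitlements that must not be held by one person.
# Each pair lets a single insider both perform and approve a critical action.
TOXIC_PAIRS = [
    ("create_vendor", "approve_payment"),
    ("edit_web_page", "publish_web_page"),
    ("create_account", "approve_access_request"),
]

# Constructed: current role assignments.
USERS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"web_editor", "web_publisher"},
    "dave": {"helpdesk"},
}


def effective_entitlements(roles, role_model=ROLES):
    """Map each entitlement a set of roles grants to the roles granting it."""
    ents = {}
    for role in roles:
        for ent in role_model[role]:
            ents.setdefault(ent, set()).add(role)
    return ents


def toxic_combinations(entitlements, toxic_pairs=TOXIC_PAIRS):
    """Return the toxic pairs fully present in an entitlement set."""
    return [(a, b) for a, b in toxic_pairs if a in entitlements and b in entitlements]


def sod_violations(users=USERS, toxic_pairs=TOXIC_PAIRS, role_model=ROLES):
    """Review pass: list every user who already holds both sides of a toxic pair,
    with the roles that grant each side so the reviewer knows what to remove."""
    violations = []
    for user, roles in sorted(users.items()):
        ents = effective_entitlements(roles, role_model)
        for a, b in toxic_combinations(ents, toxic_pairs):
            violations.append({
                "user": user,
                "pair": (a, b),
                "via": (sorted(ents[a]), sorted(ents[b])),
            })
    return violations


def would_violate(user, new_role, users=USERS, toxic_pairs=TOXIC_PAIRS, role_model=ROLES):
    """Approval gate: toxic pairs that granting new_role to user would create.
    An empty list means the request can proceed to the normal approval flow."""
    current = effective_entitlements(users.get(user, set()), role_model)
    proposed = effective_entitlements(users.get(user, set()) | {new_role}, role_model)
    before = set(toxic_combinations(current, toxic_pairs))
    return [p for p in toxic_combinations(proposed, toxic_pairs) if p not in before]


if __name__ == "__main__":
    for v in sod_violations():
        print("existing violation:", v)
    print("dave + access_approver ->", would_violate("dave", "access_approver"))
    print("alice + web_editor     ->", would_violate("alice", "web_editor"))
```

The review pass reports bob (vendor creation plus payment approval) and carol (editing plus publishing web pages), which are exactly the kinds of concentration that let one person change web pages or customer records without a second set of eyes. The gate rejects giving dave the approver role on top of his helpdesk account-creation rights while allowing alice a web editor role, so it can sit in front of any provisioning step rather than being run only at audit time.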
Jonathan Sander is STEALTHbits’ Chief Technology Officer (CTO). As CTO, he is responsible for driving technical innovation, ensuring that STEALTHbits is well positioned in their current and emerging markets, and he will also lead corporate development efforts. Jonathan also plays the role of evangelist at STEALTHbits venues large and small. Prior to STEALTHbits, Jonathan was VP of Product Strategy for Lieberman Software.
As part of Quest Software from 1999 through 2013, he worked with the security and ITSM portfolios. He helped launch Quest’s IAM solutions, directing all business development and product strategy efforts. Prior to that, Mr. Sander was a consultant at Platinum Technology focusing on security, access control and SSO solutions. He graduated from Fordham University with a degree in Philosophy.